Three Keys to Real Security




Authentication, privacy (encryption), and access control (authorization) are the three services a comprehensive wireless LAN security design needs. Each of them can be delivered today; the challenge is delivering all three in a way that is reliable, interoperable, scalable, and cost-effective. And if you want them sooner rather than later, the systems you choose must be flexible enough to integrate with the mobile devices and network infrastructure you already have.

Authentication: In many environments, the principal need is for a WLAN security system that authenticates users with an existing user ID and password. In some WLAN systems authentication is transparent: the standard Windows login credentials are passed through to a wireless authentication system. In others, end-users are given just enough initial network access to present credentials to a web-based authentication server and, if that succeeds, are granted full network access. In more sophisticated implementations authentication is mutual: a server authenticates the user, and the client in turn authenticates the wireless network, so that users are not lured onto rogue access points.

start sidebar
WEP'S WEAKNESSES

WEP (Wired Equivalent Privacy) is an optional IEEE 802.11 feature intended to give wireless data roughly the confidentiality of a wired LAN that uses no encryption at all. The network administrator configures a small set of shared "keys" (the standard allows up to four per network, selected by a key-ID field), each derived from a "key string" that is fed to the WEP encryption algorithm. Network access is denied to anyone who does not hold the required key. The 802.11 standard (and thus 802.11a and 802.11b) specifies RC4 with a 40-bit key, to which a 24-bit initialization vector (IV) is prepended, giving the so-called 64-bit WEP; the 104-bit key marketed as "128-bit WEP" is a vendor extension, and 152-bit and longer proprietary variants also exist. When WEP is enabled, every station (client devices and access points) holds the key and uses it to encrypt each frame before transmission. A station that receives a frame not encrypted with the appropriate key discards it. This was supposed to prevent both unauthorized network access and eavesdropping.

The IEEE 802.11 Working Group designed WEP with the modest goal of making wireless traffic about as hard to tap as a wired Ethernet, where an attacker needs physical access to the network to sniff packets and intercept data. WEP was meant to supply at least that level of protection; it fails to do so because of flaws in both the design and the implementation of the protocol.

To be fair, some of those flaws are a result of the computational limits assumed when the specification was being developed: the processing power expected on a Wi-Fi card was orders of magnitude lower than what was available even in 1999. Other flaws stem from the export restrictions on strong encryption then in force, which initially capped the WEP key at 40 bits.

But WEP has other weaknesses as well. Its packet integrity check is a plain CRC-32, which is linear, so an interloper can flip bits in an encrypted frame in transit and correct the check value without ever learning the key. Its 24-bit IV is sent in the clear and must repeat after at most 2^24 (about 16.7 million) frames, and in practice far sooner; whenever an IV repeats under the same key the RC4 keystream repeats too, and the traffic can be recovered by comparing frames. The 2001 Fluhrer-Mantin-Shamir attack goes further and recovers the shared key itself from enough captured frames. Finally, all users on a network share the same keys, which must be entered by hand (unless a network authentication system is in place to distribute them).

end sidebar
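The two protocol-level flaws the sidebar describes, a linear integrity check and keystream reuse under a repeated IV, can be shown in a few dozen lines. The following Python is an added example written for this page, not code from the book: it implements textbook RC4 and a simplified WEP frame layout (3-byte IV in the clear, then RC4 over plaintext plus CRC-32 ICV, with the key-ID octet omitted), forges a modified frame without the key, and recovers the keystream for one IV from a single known plaintext. The 40-bit key, IV and payloads are constructed for the demonstration.

```python
"""WEP's two structural flaws, demonstrated: the CRC-32 ICV is linear, so an
attacker can flip plaintext bits and repair the ICV without the key, and a
repeated IV under the same shared key repeats the RC4 keystream.
Added example for this page; not code from the book.  The frame layout is a
simplification (3-byte IV, no key-ID octet); key, IV and payloads are constructed."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA).  WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (clear) || RC4(IV || key, plaintext || ICV)."""
    return iv + rc4(iv + shared_key, plaintext + icv(plaintext))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok), as a receiving station would compute them."""
    iv, body = frame[:3], frame[3:]
    dec = rc4(iv + shared_key, body)
    plaintext, received_icv = dec[:-4], dec[-4:]
    return plaintext, received_icv == icv(plaintext)


def forge_frame(frame: bytes, delta: bytes) -> bytes:
    """Bit-flipping attack (Borisov, Goldberg and Wagner, 2001): XOR delta into
    the encrypted payload, then fix the encrypted ICV using CRC linearity:
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0).  No key needed."""
    iv, body = frame[:3], frame[3:]
    ct_data, ct_icv = body[:-4], body[-4:]
    delta = delta.ljust(len(ct_data), b"\x00")
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct_data, delta) + xor(ct_icv, icv_delta)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """With one known plaintext under an IV, ciphertext XOR (plaintext || ICV)
    is the keystream for that IV, and the IV itself is sent in the clear."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def demo():
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit shared key
    iv = b"\xaa\xbb\xcc"                   # constructed 24-bit IV
    original = b"PAY alice $0100"
    frame = wep_encrypt(key, iv, original)

    # 1. Tamper with the message in transit without knowing the key.
    forged = forge_frame(frame, xor(original, b"PAY mallo $9900"))
    tampered, accepted = wep_decrypt(key, forged)

    # 2. A later frame that reuses the IV is readable with the recovered keystream.
    second = wep_encrypt(key, iv, b"another secret!")
    keystream = recover_keystream(frame, original)
    leaked = xor(second[3:], keystream)[:-4]
    return {"tampered": tampered, "accepted": accepted, "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

The receiver in `demo()` accepts the forged frame with a valid ICV, and the second frame is decrypted without the key at all. TKIP's keyed MIC and 48-bit sequence counter, discussed under Privacy below, are the standards body's answer to exactly these two functions.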

The IEEE 802.1X protocol, used in conjunction with the Extensible Authentication Protocol (EAP), is the key component of standards-based WLAN authentication going forward; it is the basis of the authentication in WPA and in the 802.11i work. EAP is a framework that carries multiple authentication methods (EAP-TLS and PEAP, for example) inside a fixed Request/Response exchange. It typically runs directly over the data link layer, without requiring IP, and therefore provides its own duplicate elimination and retransmission; it does, however, rely on the link layer to deliver packets in order. While most of the enterprise-oriented WLAN vendors have built 802.1X support into their newest access points, the availability and interoperability of 802.1X clients (supplicants) are still somewhat limited.
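The framing and identifier matching behind that retransmission behaviour, as an added example (not code from the book or from any vendor's supplicant): the Python below builds and parses EAPOL frames carrying EAP packets, using the header layouts from IEEE 802.1X and RFC 3748, and drives a minimal authenticator that retransmits an outstanding Identity Request unchanged and discards any Response whose Identifier does not match it. All frame contents are constructed here; nothing is transmitted.

```python
"""EAP over EAPOL: header framing plus identifier-based duplicate elimination
and retransmission.  Added example for this page, not the book's code; frames
are constructed in demo() and never sent on a network."""
import struct

EAPOL_EAP_PACKET = 0                      # EAPOL packet type carrying EAP
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet (RFC 3748 s4.1): Code, Identifier, Length (incl. header), [Type, Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(eap_packet, version=1):
    """EAPOL header (IEEE 802.1X): Protocol Version, Packet Type, Body Length."""
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap_packet)) + eap_packet


def parse_eapol_eap(frame):
    """Parse an EAPOL frame carrying EAP; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for EAPOL and EAP headers")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAP-Packet (EAPOL type %d)" % ptype)
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length mismatch")     # truncated frame
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length field inconsistent")
    pkt = body[:eap_len]
    eap_type, data = None, b""
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_len < 5:
            raise ValueError("Request/Response needs a Type octet")
        eap_type, data = pkt[4], pkt[5:]
    return {"version": version, "code": code, "id": identifier, "type": eap_type, "data": data}


class Authenticator:
    """Authenticator side of an Identity exchange: one Request outstanding at a
    time, retransmitted on timeout with the same Identifier; a Response is
    accepted only if its Identifier matches, everything else is discarded."""

    def __init__(self, first_id=0):
        self.identifier = first_id
        self.outstanding = None
        self.retransmits = 0
        self.identities = []

    def send_identity_request(self):
        self.outstanding = build_eapol(build_eap(EAP_REQUEST, self.identifier, EAP_TYPE_IDENTITY))
        return self.outstanding

    def timeout(self):
        """No matching Response yet: resend the identical Request."""
        self.retransmits += 1
        return self.outstanding

    def receive(self, frame):
        try:
            p = parse_eapol_eap(frame)
        except ValueError as e:
            return "discard: %s" % e
        if self.outstanding is None:
            return "discard: no Request outstanding"
        if p["code"] != EAP_RESPONSE or p["id"] != self.identifier:
            return "discard: Identifier/Code does not match outstanding Request"
        if p["type"] != EAP_TYPE_IDENTITY:
            return "discard: unexpected Type"
        self.identities.append(p["data"].decode("utf-8", "replace"))
        self.outstanding = None                       # exchange complete
        self.identifier = (self.identifier + 1) & 0xFF  # next Request gets a new id
        return "accepted"


def demo():
    auth = Authenticator(first_id=7)
    req = auth.send_identity_request()
    resent = auth.timeout()
    stale = build_eapol(build_eap(EAP_RESPONSE, 6, EAP_TYPE_IDENTITY, b"mallory"))
    good = build_eapol(build_eap(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, b"alice@example.com"))
    truncated = good[:-1]
    results = [auth.receive(stale), auth.receive(truncated), auth.receive(good), auth.receive(good)]
    return {"request_id": parse_eapol_eap(req)["id"], "resent_identical": resent == req,
            "results": results, "identities": auth.identities, "next_id": auth.identifier}


if __name__ == "__main__":
    print(demo())
```

The replayed `good` frame is dropped because no Request is outstanding once the first copy was accepted, which is the duplicate elimination EAP provides on its own; ordering of frames is left to the link layer, as the text notes.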

Privacy: Privacy (encryption) services are commonly tied to authentication so that unique per-session keys are distributed when a user authenticates. Most network managers consider encryption mandatory, or at least desirable. Unfortunately WEP, still the most widely implemented WLAN encryption scheme, needs frequent rekeying to be of any use, because a static key shared by every user can be recovered from captured traffic. Many products available today use, or offer firmware upgrades to, TKIP (Temporal Key Integrity Protocol), an interim fix that keeps WEP's RC4 cipher but adds per-packet key mixing, a 48-bit IV that doubles as a sequence counter against replay, and a keyed message integrity check (Michael) in place of the CRC. TKIP overcomes some of WEP's known vulnerabilities without requiring hardware replacement, but most industry experts agree it is a tactical bandage rather than a strategic cure.

In the long run the industry will move to AES (Advanced Encryption Standard), which 802.11i uses in the AES-CCMP cipher suite to provide both stronger encryption and a cryptographic integrity check; that transition requires new hardware, because legacy radios implement only RC4. Some WLAN chipsets now ship with AES built in, so check whether the hardware you are buying supports it.

Access Control: Controlling which servers and applications a user or group may reach, based on their credentials, is an important element of many enterprise networks. But although access control is arguably one of the most critical security services, it is not effectively addressed by the emerging WLAN standards.

In fairness to the IEEE 802.11 committee, access control is often seen as a component of policy-based network management, which should be applied to all wired and wireless LAN technologies at higher protocol layers. Likewise, accounting, which is important for some enterprise environments and critical to the emerging WLAN HotSpot market, is an element that will be managed up the stack, not at the Physical or Data Link Layers.

The next sections look at how to secure a WLAN in practice. The three services above do most of the work in a secure WLAN deployment, but there is more that can and should be done to keep your wireless data safe.






From Going Wi-Fi: A Practical Guide to Planning and Building an 802.11 Network (ISBN 1578203015, 2003, 273 pages).
